Data Protection Journal of India July issue discusses the concept of Human Firewall

Foundation of Data Protection Professionals in India, the premier organisation in India dedicated to Privacy and Data Protection, has come out with the latest issue of the Data Protection Journal of India (DPJI).

DPJI is presently a journal published on the internet, and its issues are available online. The current issue is the 7th issue in the series. The earlier issues covered different aspects of Data Protection.

In the past issues, several interesting topics such as the Valuation of Data, the PDPSI framework (now renamed the DPCSI framework) and the need for a compliance culture to be developed in India have been discussed.

In the current issue, an important aspect of Data Protection, namely the role of people, has been discussed.

By focussing on the concept of the “Human Firewall”, attention is drawn to the use of humans to build a security cover against privacy and information security risks. Just as technology tools such as encryption, firewalls and intrusion detection systems are used to combat technology risks, this concept envisages that human skills have to be used for risk mitigation.

The involvement of humans as part of the security posture is important for two reasons. First, insider frauds constitute a large percentage of cyber risks and cannot be mitigated by policies, procedures and technology alone. Second, even technology and policy controls have to be implemented by humans, and motivating them to be “Security Champions” is necessary.

This concept has been well ingrained in our earlier discussions on “Vulnerabilities in human space” and “Theory of Information Security Motivation” etc.

We had also incorporated several principles of using human resources in the unique indigenous framework for Privacy and Data Protection, namely the DPCSI (Data Protection Standard of India). In particular, we had introduced a standard titled “Distributed Responsibility”, along with implementations for an Augmented HR policy which included incentivisation and disincentivisation for motivational purposes. Further, the “Augmented Whistle-blower policy” extended the concept to a “Human IDS system”. We have also been discussing from time to time concepts such as the “Human Bomb”, “Deviant Minds in the Workforce”, “Technology Intoxication” etc., all revolving around the concept of “Mitigating Human Risks” in Cyber Crime prevention.

It was therefore a pleasure to observe that Dr Anirban Ghosh, a professional working in the BT group, had actually worked on a research thesis on the topic of “Human Firewall”, and with his permission the entire thesis has been reproduced in the July issue of the journal.

We hope that professionals interested in the field of Cyber Psychology, Human Resource Management and related topics would find the issue worth going through.

Kindly do share the copy within your organization as a part of your knowledge management.

Any queries on any of the topics are welcome.


It is time to build a Compliance Culture

The IT community has gone through the phase of discussing the need for building an “Information Security” culture in the organization. Thereafter, we also went through the phase of building a “Privacy Culture”.

In both these phases, we focussed on the people in the organization and tried to educate them on security issues and privacy issues.

While the efforts for building an information security culture and privacy culture continue, they are now being subsumed by the new requirement of building a “Compliance Culture” in organizations.

This requirement is typical of the Indian market, where we always stretch the compliance requirement until we are forced to comply.

The time has therefore come to build a “Compliance Culture” in an organization. In this context, an “Organization” is the aggregation of the senior executives who have gone through the implementation of measures in their respective workplaces to ensure that their subordinates understand the importance of information security and privacy, and why they all need to change their attitudes to work and re-orient themselves to practise better security and privacy ethics and technology in their day-to-day work.

FDPPI is now embarking on leading Indian organizations into this phase through its program “Data Trust Score, the future of Privacy Protection”.

“Data Trust Score”, or DTS, is the suggested measure of the “Maturity of Data Protection Law Compliance” in India. It is a suggested deliverable of a data auditor who audits the data protection practices of a company in India. It works like the “Credit Rating” assigned to financial instruments by credit rating agencies such as CRISIL or ICRA.

FDPPI, which has created an eco-system for certified Data Protection audits based on the indigenously developed framework of DPCSI (Data Protection Compliance Standard of India), is adopting DTS-DPCSI as the model for calculation of DTS on the DPCSI framework.

DTS-DPCSI is the first concept of its kind and would be the forerunner of similar assessment yardsticks that will emerge in future for other frameworks as well.

The life of a Data Protection Professional will not be complete without understanding the concept of DTS and how it can be applied in their work environment.

Let us start our journey in understanding the concept of DTS through a virtual presentation to be made by Naavi on 10th July 2022 at 11.00 am.

For registration, contact Naavi by email.


Community of NeuroTech and Neuro Rights Professionals

FDPPI would like to form a group of professionals interested in NeuroTech and Neuro Rights to take the study further.

This will be an exploratory group to identify the requirements for developing Neuro Rights legislation in India and the application of Privacy laws in the NeuroTech context.

Interested persons may contact Naavi.


Inviting Contributions to DPJI and JVS

FDPPI, which is often referred to as the “Dada of Data Protection” in India has been publishing a quarterly journal (presently in e-form) in the name of “Data Protection Journal of India”.

The journal, started in January 2021, has now seen six editions, and they are available online.

While we are partially proud of the achievement, we are fully aware that we have miles to go in terms of making DPJI more useful and better looking.

FDPPI believes that it is like a start-up, and we will not hesitate in doing things even if there could be shortcomings to start with. We shall accept our shortcomings and try to improve further.

However, for a project like DPJI to succeed, we need valuable contributions from the community. FDPPI has more than 200 senior professional members in its community, but not more than five or six have so far contributed to the journal. This is a surprise given the enormous cumulative experience that the team possesses. Obviously, there is a hesitancy amongst the professionals in putting their thoughts into writing.

FDPPI believes that the ability to communicate through writing and through making presentations to peers is part of the skills required of a DPO, and the Jnaanavardhini sessions as well as DPJI are opportunities available to the members to hone these skills.

I therefore wish that more members try to use these opportunities to present their views to the public and at the same time sharpen their own understanding of the subject.

Presently, Mr M G Kodandaraman is in charge of DPJI content management and Ms T C Manju is in charge of the Jnaanavardhini Sessions. Those of you who would like to contribute articles to DPJI and also to speak in any of the Jnaana Vardhini sessions.

The next DPJI issue is scheduled for July 2022. Last quarter, the release was delayed but we want to be back on our time schedule for the next issue. We want to also add one section exclusively on “Technology” in our next issue where we want to discuss issues of technology relevant to Privacy Professionals. Since this is the familiar domain for most of our members, we hope members will take up this opportunity and contribute more articles in this domain.

In the Jnaana Vardhini sessions, we soon want to introduce “Members only sessions”, at least one per month. We conducted two such “Star Jnaana Vardhini sessions” in the past and thereafter continued with free sessions. It is time we re-introduce these Monthly Star Sessions, which will be aimed at covering some special topics that will add value to the membership. Watch out for announcements in this regard.

I invite members as well as non-members to contribute articles of relevance to DPJI and to send speaking proposals. The requests may be sent by email to FDPPI and will be directed to the relevant persons for further follow up.

Students from educational institutions are also invited to present their papers through DPJI on relevant topics.

FDPPI members may kindly spread this word around so that we can start getting more contributions to the Journal and for Jnaana Vardhini sessions.


Shadow DPAI required for CERT-IN

The JPC for PDPB decided to include parts of Non Personal Data regulation within the provisions of DPA 2021. In the process, a situation of overlapping jurisdiction was created between ITA 2000 and DPA 2021. Earlier, the replacement of Section 43A of ITA 2000 by PDPB 2019 gave a clear distinction between “Personal Data Regulation” under PDPB 2019 and “Non Personal Data Protection” under ITA 2000, with possible “Non Personal Data Governance” under a new act as suggested by the Kris Gopalakrishna report.

In a bid to avoid creating a Non Personal Data Governance Authority of India, the JPC decided to make the DPAI also responsible for Non Personal Data to the extent of breach notification. This left the door open for future regulation of “Non Personal Data Governance” also with the DPAI.

Without going into the merits of whether an authority which is “Privacy Protection Oriented” would be the right authority for “Monetization of Data”, which would be the essential part of the Non Personal Data Governance Act, we can note that the decision of the JPC has created an overlap of DPA 2021 with ITA 2000.

ITA 2000 essentially applies to data of all kinds and hence applies both to personal data and non personal data. To the extent that DPA 2021 deals with “Reasonable Security Practice”, which was earlier under Section 43A, there is no overlapping of provisions. DPA 2021 also does not cover criminal offences, which are covered under Chapter XI of ITA 2000/8. The only offence section under DPA 2021 could have been covered under ITA 2000 itself. This section (Section 83) of DPA 2021 relates to “Unauthorized modification of de-identified data back to identified data and thereby diminishing the value of de-identified data” and can be covered under ITA 2000 under Section 43(i) read with Section 66.

If this Section 83 of DPA 2021 had been removed, DPA 2021 could have remained entirely a “Section 43A supporting compliance legislation”. This would have kept the two legislations distinct.

Since the JPC did not factor in the existence of a statutory body called CERT-IN, it appears that CERT-IN has decided to assert its statutory status and published the latest data breach notification directive of April 28, 2022.

The industry representatives have already become perturbed and run to the Minister to complain that this would affect Privacy, which he has correctly defended. (Refer Indian Express report.)

The recent directive has asserted the power of CERT-IN and hence it cannot be challenged even after DPA 2021 is enacted.

However, a potential conflict situation between the DPAI and the Director General of CERT-IN may arise, and both need to show statesmanship in collaborating with each other. Though CERT-IN and the DPAI may resolve their differences, it is likely that the industry will play one against the other for its own advantage and project CERT-IN as an “Official of MeitY”, not to be respected like a DPAI which has 7 august members with expertise in different areas such as Law, Technology, Data Science etc.

In order to prevent the weakening of the perceived role of CERT-IN, it is necessary for MeitY and CERT-In to strengthen its perceived position. One suggestion in this regard is given below.

  1. An Advisory Committee should be established by a gazette notification under the chairmanship of the Director General, CERT-IN.
  2. The committee shall have at least six members consisting of experts in the areas of Cyber Law, Technology, Data Science, Data Security, National Security and grievance redressal experience (for example arbitration, etc., or a lawyer who is eligible to be appointed as a Judge of a High Court).
  3. The Committee shall meet as often as necessary, either through virtual meetings or physical meetings, and provide its views on various issues on which CERT-IN needs to take decisions, in particular when action is to be initiated against an entity under Section 70B(7).
  4. The committee shall also recommend to CERT-IN to initiate a complaint with a relevant Adjudicator (under Section 46 of ITA 2000) to undertake an inquiry as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules 2003.

Under the above suggestion, the Director General of CERT-IN and his advisory committee will match the expertise of the DPAI in terms of experience and skills, so that any interaction between CERT-IN and the DPAI shall take place between two nearly equally empowered regulatory authorities.

Also, under Section 70B(7), action may be initiated by CERT-IN against any entity that contravenes the directions of CERT-IN or otherwise fails to report a data breach, by recommending prosecution for a punishment of imprisonment up to 1 year and a fine of Rs one lakh.

Under Section 70B, it may be difficult to impose any penalty on an entity as a deterrent. Such power under ITA 2000 vests only with the Adjudicator, who can either take “suo moto” cognizance of a contravention of ITA 2000 or act on a complaint, which can be filed by any person who can claim compensation for a loss suffered.

If there is a data breach, there would be some affected person who may or may not come forward to file a complaint with the Adjudicating Officer. But the Adjudicating Officer, on coming to know of a contravention (which may be through a report submitted by CERT-IN), can initiate an inquiry. If the inquiry finds that there has been a contravention and that there has been a wrongful loss to somebody and a wrongful gain to somebody else, he can order collection of a penalty from the person responsible for the loss and hold it in trust for the claims that may arise from any affected victim.

Since the notification of ITA 2000 on 17th October 2000 and the creation of Adjudicating Officers through the notification of 25th March 2003, there have not been any published reports of Adjudicating Officers imposing fines except on specific complaints preferred by some complainants.

There could be some cases where the Police have sought the assistance of the Adjudicating Officer (e.g. Karnataka) where fines have been imposed on Cyber Cafes under Section 45 of ITA 2000 (Residual penalty), which must have been appropriated by the Government as if it were a penalty imposed for a criminal offence. Such cases have not been widely reported.

Now CERT-IN needs to take the responsibility to advise the relevant Adjudicating Officer (the IT Secretary of the State where the victim of a contravention resides) that there has been a data breach in his jurisdiction and that it warrants a suo moto inquiry and deterrent action.

It is noted that the Minister of IT, Sri Rajeev Chandrashekar, has reported today that there is also an attempt to amend ITA 2000/8 and that a draft would be presented for public comments within a month. If required, some of the changes suggested above, namely creating an Advisory body for the Director General of CERT-IN, can be formally introduced into the Act.

It may also be noted that ITA 2000 envisaged a committee called the “Cyber Advisory Committee” which has to endorse any amendment to the Act as per Section 88 of ITA 2000. It can also be recalled that the Controller of Certifying Authorities had created one such advisory committee in the year 2000, of which the undersigned was also a part. There was also an Inter-Ministerial working group, of which also the undersigned was a part. These committees had limited existence, and subsequently most decisions are being taken by the executives in MeitY. Many of these decisions, including the Intermediary Guidelines of 25th February 2021, have been systematically challenged in the Supreme Court, and inefficient handling of the Shreya Singhal petition led to Section 66A being scrapped by the Supreme Court without a proper replacement of the provisions as was promised by the then IT Minister.

The creation of the CERT-IN Advisory board will therefore provide legal strength to the decisions given out by the Director General of CERT-IN. It could become a “Shadow DPAI”, so that any data breach related directions for non personal data under Section 25 of the proposed data protection act (DPA 2021) can be issued by CERT-IN instead of by the DPAI.


Also refer: 

CERT-In Re-issues its order of 4th January 2017


DPA 2021-compliance View

Madras Management Association and FDPPI successfully conducted a one day symposium on DPA 2021-Compliance View, at Chennai, on 23rd April 2021 at the MMA auditorium.

A large contingent of participants from ISACA and CySi who partnered the event made the event successful.

Following are some photographs of the event.

The event started with a welcome address from Captain Vijaykumar of MMA, an inaugural address by Mr Ravichandran, IRS, Commissioner of Income Tax, followed by an overview of DPA 2021 by Naavi.

Subsequently there were 4 panel discussions: one on Legal aspects, one on Technology aspects, one on Professional opportunities and another on Compliance frameworks.

Naavi anchored the entire day’s deliberations, while experts from the industry such as Rohan K George, Geetha Jayaraman (Capgemini), Rupak Nagarajan (KPMG), R Vittal Raj, Dr Mahesh Kalyanaraman from HP and others participated. From FDPPI, apart from Naavi, Directors Mr Ramesh Venkataraman and Nagendra Javagal and members such as Govind Srinivasan also participated in the discussions.

The proceedings of the symposium are presently available on the MMA YouTube channel. They may also appear on the FDPPI YouTube channel shortly.

The event was part of the National Movement of DPA 2021 awareness that FDPPI has charted out. Hopefully with the availability of other partners in other parts of the country, similar events can be repeated.


Video Links

  1. Inaugural Session
  2. Legal Aspects of DPA 2021
  3. Technology Aspects of DPA 2021
  4. Career opportunities from DPA 2021
  5. Audit perspective of DPA 2021


Join us at the symposium in Chennai on April 23rd…

Madras Management Association (MMA) and FDPPI are organizing a symposium on DPA 2021-Compliance View. ISACA, IACC and CySi are partnering the program and offering special privileges to their members to attend the event.

If you can be in Chennai next weekend, make the MMA Auditorium your destination.


National Privacy and Data Protection Compliance Movement

India is planning to pass a law on Privacy and Data Protection, and the Bill titled Data Protection Act 2021 (DPA 2021) is pending in the Parliament. This Bill originated in 2018 following the Srikrishna Committee report and was later modified as the Personal Data Protection Bill 2019 (PDPB 2019). A Joint Parliamentary Committee (JPC) has deliberated on the bill for more than two years, held consultations with many stakeholders and has now revised PDPB 2019. The revised version, now referred to as DPA 2021, is ready for final debate in the Parliament and for being passed into law.

Like all laws that have a significant impact on society, DPA 2021 has also been facing opposition from a section of the industry. As a result, the mainstream industry has been presented with a skewed view of the proposed law, creating uncertainty in the minds of industry professionals on whether the law will be passed and whether it is desirable or not. This has resulted in many organizations delaying the implementation of their compliance program.

We need to realize that DPA 2021 is a continuation and expansion of the currently applicable law, namely the Information Technology Act 2000 (ITA 2000), and forms part of the “Due Diligence” under Section 43A of ITA 2000. Several Courts have taken cognizance of the Bill and incorporated its provisions in their decisions. Prudent companies therefore think that the time for compliance has already come, and that the time up to the actual passage of the Bill and the further implementation time that may be provided therein is a cushion against being held liable for the potential penalties envisaged in the Act for non-compliance.

FDPPI (Foundation of Data Protection Professionals in India) is an organization that is dedicated to the cause of “Data Protection” in India and to building a Data Protection Compliance Eco-system in India. Since 2018, FDPPI has been engaged in outreach programs to build awareness of Privacy and Data Protection concepts and also in the development of professionals who are certified in the relevant skills to provide consultancy to organisations and conduct audits of “Data Protection Compliance Management Systems”. FDPPI is today the apex organization in India dedicated to the establishment of a Data Protection compliant environment in India.

During the pandemic times, FDPPI conducted nearly 100 online events on Data Protection regulations and related issues, which have already created wide awareness of the forthcoming laws.

As a part of the activities in the post-pandemic scenario, FDPPI is now conducting a series of physical programs in different parts of the country in association with multiple organizations to spread the awareness of the regulation from the compliance perspective.

In this series, FDPPI conducted one program in Bangalore in association with the Indo American Chamber of Commerce (IACC) on 4th March 2022. On April 23rd 2022, FDPPI is conducting a program in Chennai in association with the Madras Management Association, ISACA Chennai Chapter, Cyber Society of India and IACC.

During these programs, we discuss the compliance measures that are required to be followed by the industry steering clear of the controversies. The discussions cover the overview of the law as presented in DPA 2021, the Technology and Business Challenges that the law presents, the Professional opportunities created for Data Protection Officers and Data Auditors and also the Compliance framework exclusively designed for compliance of the law.

FDPPI presently has developed a Compliance framework called “Data Protection Compliance Management Standard of India (DPCMS)” which is focussed on the compliance of DPA 2021 incorporating the best principles of other international frameworks. This is an indigenous approach designed to be a Unified Framework for Indian companies to be compliant with all Personal Data Protection laws and includes some aspects of compliance of Non-Personal Data protection which is part of DPA 2021.

The framework includes innovative and globally unique concepts such as “Data Valuation”, “Distributed Implementation Responsibility”, “Generation of Data Trust Score” etc. It is flexible enough to be customized and adopted by different industry segments.

Recognizing the difficulties that arise when implementing one law applying equally to all industries and entities of all sizes, FDPPI is now in the process of developing different “Sector Specific Compliance Codes of Practice” which meet the requirements of law under Section 50 of DPA 2021. The Data Protection Authority of India (when operative) can approve such codes of practice after due consideration of whether they meet the requirements of the law. This should substantially ease compliance and encourage increased voluntary compliance in the industry. FDPPI has a vision to create tailor-made Compliance frameworks for different industry segments with the participation of industry representatives. This is a “First in the World” approach to the customization of data protection law compliance for different sectors and would help in reducing the pain of compliance.

FDPPI, however, is a Not-for-Profit organization, and its bandwidth to conduct outreach programs in different locations depends on partner organizations. Presently we are working with organizations like IACC and ISACA which have a presence in multiple locations. However, we are looking for other suitable partners who are interested in associating with FDPPI for this “National Data Protection Compliance Movement”, where we disseminate knowledge, motivate companies to start compliance initiatives and develop sector specific codes of practice.

Come, let us together bring about a Data Protection Revolution in the country.


Seminar on DPA 2021-Compliance Perspective

FDPPI in association with Madras Management Association and other partner organizations will be conducting an offline seminar in Chennai on April 23, 2022.

The theme of the seminar is “DPA 2021-Compliance perspective”.

There is a campaign in the media that the JPC-modified version of PDPB 2019 needs to be re-drafted.

Firstly, the set of objections was centred around

“Government has too much powers under Section 35 of the Act”.

The second was on the “Restrictions on Data Transfer” under Sections 33/34 of the Act.

Now a third set of objections, centring around “Difficulties to Start Ups” and “Compliance Cost”, has been raised.

The net objective of all these objections is to lobby with the Government so that the current weak set of laws continues and Tech Companies like Twitter, Meta and Google can continue their Data Exploits in India without accountability.

FDPPI, however, believes that compliance with the data protection regulation is in the interest of the community, and even if there is some disruption in the operations of the Data user organizations, that is not a reason to defer the law indefinitely.

In order not to let the industry slip into complacency, thinking that the Data Protection law will not be introduced in India, FDPPI would like to present the “Compliance Perspective” so that responsible companies start working towards compliance without being under too much stress.

On April 23rd, over a day-long seminar in Chennai, FDPPI, along with MMA, will discuss DPA 2021 from the perspective of companies who would like to work towards compliance.

Watch out for more details.


Next Certification Program from FDPPI-Cyber Law College

Cyber Law College as training partner of FDPPI is conducting the next program on Data Protection Laws in India for FDPPI Certification, tentatively starting from April 30th. Details are as follows:

  1. The program leads to the FDPPI certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant) program. This program includes two other modules, namely a Module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on Zoom platform.
  3. Appropriate reading material would be provided during the course.
  4. At the end of the course, an online multiple-choice examination of 90 minutes would be available. Those who are successful will receive the certification “Certified Data Protection Professional-Module I”.
  5. The course content would be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal 
    10. Data Audit
    11. Data Protection Compliance Management System (DPCMS) and Data Protection Compliance Standard of India (DPCSI)

Registration can be done here.

  6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.
  7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/-, and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of that program.)
  8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.
  9. For further clarifications, if any, contact Naavi.
